A cybersecurity firm says a popular Android screen recording app that racked up tens of thousands of downloads on Google’s app store subsequently began spying on its users, including by stealing microphone recordings and other documents from the user’s phone.

Research by ESET found that the Android app, “iRecorder — Screen Recorder,” introduced the malicious code as an app update almost a year after it was first listed on Google Play. The code, according to ESET, allowed the app to stealthily upload a minute of ambient audio from the device’s microphone every 15 minutes, as well as exfiltrate documents, web pages and media files from the user’s phone.

The app is no longer listed in Google Play. If you have installed the app, you should delete it from your device. By the time the malicious app was pulled from the app store, it had racked up more than 50,000 downloads.

ESET is calling the malicious code AhRat, a customized version of an open source remote access trojan called AhMyth. Remote access trojans (or RATs) take advantage of broad access to a victim’s device and can often include remote control, but also function similarly to spyware and stalkerware.

Lukas Stefanko, a security researcher at ESET who discovered the malware, said in a blog post that the iRecorder app contained no malicious features when it first launched in September 2021.

Once the malicious AhRat code was pushed as an app update to existing users (and new users who would download the app directly from Google Play), the app began stealthily accessing the user’s microphone and uploading the user’s phone data to a server controlled by the malware’s operator. Stefanko said that the audio recording “fit within the already defined app permissions model,” given that the app was by nature designed to capture the device’s screen recordings and would ask to be granted access to the device’s microphone.

It’s not clear who planted the malicious code — whether the developer or someone else — or for what reason. TechCrunch emailed the developer’s email address that was on the app’s listing before it was pulled, but has not yet heard back.

Stefanko said the malicious code is likely part of a wider espionage campaign — where hackers work to collect information on targets of their choosing — sometimes on behalf of governments or for financially motivated reasons. He said it was “rare for a developer to upload a legitimate app, wait almost a year, and then update it with malicious code.”

It’s not uncommon for bad apps to slip into the app stores, nor is it the first time AhMyth has crept its way into Google Play. Both Google and Apple screen apps for malware before listing them for download, and sometimes act proactively to pull apps when they might put users at risk. Last year, Google said it prevented more than 1.4 million privacy-violating apps from reaching Google Play.